Embracing Digital Transformation

#323 Nation-State Cybersecurity, Eric O'Neill's Journey

31 min
Feb 5, 2026
Summary

Eric O'Neill, former FBI counterintelligence operative who caught Soviet spy Robert Hanssen, discusses nation-state cybersecurity threats to U.S. critical infrastructure. He outlines how China, Russia, Iran, and North Korea are conducting probe attacks on power grids, water systems, and other essential services, and provides a practical framework (PAID) for individuals and organizations to defend against cyber attacks.

Insights
  • The U.S. critical infrastructure is highly vulnerable to coordinated cyber attacks due to its decentralized nature across state and private operators, with analysis showing that taking down just nine separate power subgrids simultaneously could collapse the entire national grid.
  • Cyber criminals and nation-state actors use identical tactics and methodologies; the only difference is outcome—spies steal and hide, while criminals destroy and extort, making attribution and response strategy critical.
  • Most cyber attacks succeed through social engineering and impersonation rather than sophisticated zero-day exploits, meaning basic cybersecurity hygiene (2FA, password management, skepticism) prevents the majority of breaches.
  • Critical infrastructure operators lack situational awareness to distinguish between criminal and nation-state attacks, forcing defensive shutdowns that cascade into public crises, as demonstrated by the Colonial Pipeline ransomware incident.
  • Significant policy and infrastructure security improvements are unlikely until a major cyber attack occurs, similar to how Pearl Harbor catalyzed U.S. military preparedness in WWII.
Trends
  • Increased frequency of probe attacks on critical infrastructure by state actors testing defenses and mapping vulnerabilities for future large-scale operations.
  • Shift from email-based phishing to social media and SMS-based impersonation attacks as users become more skeptical of traditional email threats.
  • Double extortion ransomware campaigns targeting municipalities and critical infrastructure, leveraging stolen data as leverage when backups prevent encryption-based extortion.
  • Cyber attacks preceding kinetic military operations, as demonstrated by Russia's power grid attacks before invading Ukraine, establishing cyber warfare as a precursor to conventional conflict.
  • Growing sophistication of romance fraud and pig butchering schemes using AI-generated content and long-term social engineering to defraud individuals of significant sums.
  • Decentralization of U.S. critical infrastructure creating both resilience and complexity, making coordinated attacks harder but also preventing unified defensive strategies.
  • Increasing reliance on cryptocurrency for ransomware payments, though law enforcement is improving its ability to track and freeze criminal wallets.
  • Nation-states using cybercrime proxies and false-flag operations to maintain plausible deniability while conducting attacks on U.S. infrastructure.
  • Administrative vs. operational network segmentation failures in critical infrastructure, preventing targeted containment of breaches to non-essential systems.
  • Regulatory and administrative red tape slowing deployment of federal cybersecurity funding to state and local critical infrastructure operators.
Topics
  • Nation-State Cyber Threats
  • Critical Infrastructure Security
  • SCADA Systems and Operational Technology
  • Power Grid Vulnerability and Resilience
  • Water System Cybersecurity
  • Ransomware and Double Extortion
  • Social Engineering and Impersonation Attacks
  • Two-Factor Authentication Implementation
  • Cyber Espionage and Counterintelligence
  • FBI Cybercrime Reporting and IC3
  • Network Segmentation and Containment
  • Cyber Attack Attribution and Response
  • Personal Cybersecurity Best Practices
  • Cyber Warfare vs. Kinetic Warfare
  • Cryptocurrency Tracking in Ransomware Cases
Companies
Colonial Pipeline
Subject of major 2021 ransomware attack that forced operational shutdown, demonstrating critical infrastructure vulne...
FBI
Federal agency where O'Neill worked as counterintelligence operative and caught Soviet spy Robert Hanssen; operates I...
People
Eric O'Neill
Former FBI counterintelligence operative who caught Soviet spy Robert Hanssen; now national security attorney, author...
Robert Hanssen
Most damaging spy in U.S. history who spied for Soviet Union and Russia for 22 years under codename Gray Suit before ...
Dr. Daron
Host of Embracing Digital Transformation podcast; Chief Enterprise Architect and educator interviewing O'Neill on cyb...
Quotes
"The only real threat to the United States right now, the only real realistic threat is a large-scale cyberattack that denies us the critical infrastructure that makes our lives happy, healthy, and whole."
Eric O'Neill
"The only difference between a foreign intelligence service cyber attack and a cybercrime syndicate cyber attack is the outcome. They use the same tactics, they use the same protocols, the same tool bag."
Eric O'Neill
"We are responsible for protecting ourselves. The number one thing that we as individuals have to do is learn about it, is understand the different ways that we're being attacked. If you can see the attack coming, then you can defend against it."
Eric O'Neill
"I don't think a change is going to happen until there is a large scale cyber attack."
Eric O'Neill
"Once the US pulls together and stops the infighting, no one, no one in the world can stop."
Eric O'Neill
Full Transcript
Eric: The only real threat to the United States right now, the only real realistic threat, is a large-scale cyberattack that denies us the critical infrastructure that makes our lives happy, healthy, and whole. And what we've seen in analysis of our systems, our SCADA, which are the networks that move everything from power to water to gas to all the things we need...

Daron: Welcome to Embracing Digital Transformation, where we explore how people, process, policy, and technology drive effective change. This is Dr. Daron, Chief Enterprise Architect, Educator, Author, and most importantly, your host. On this episode, Nation State Cybersecurity is Digital Transformation, with Eric O'Neill, former FBI counterintelligence. Eric, welcome to the show.

Eric: Daron, it's good to be here.

Daron: Hey, I was very excited when we started talking. I said, don't tell me any more, Eric, because I want to save that. I need to hit the record button. So I'm really excited about what we're going to talk about today. But before we get started on cybersecurity and threat nations and all this stuff, everyone knows on my show that I only have superheroes on the show. And every superhero has a background story. So Eric, what's your background story?

Eric: Well, I don't know if I'm a superhero, but I do have a background story. And a pretty unique one. My earliest job that really matters was working undercover for the FBI. I was a counterintelligence and counterterrorism undercover operative, which meant I chased spies and terrorists all over, mostly around Washington, DC, and stopped them before they did whatever dastardly act they were planning.

Daron: All right, that's super cool by itself. Right, the superhero analogy.

Eric: So most of that was working undercover on the street, using a lot of classified technology, good old human intelligence gathering, surveillance ops, whether it's vehicle versus on foot, and tracking those targets to stop them before, like I said, they do whatever their plan was, either steal information or blow something up. And then at the very end of my career, by my choice, I was asked to join and go undercover in the most unique case the FBI had ever run: to go undercover in FBI headquarters, which was unprecedented, as myself, which was really weird, to catch a man who turned out to be the most damaging spy in US history, Robert Hanssen. Hanssen had spied for the Soviet Union, and then Russia, that's how long he spied. He survived for...

Daron: Wow.

Eric: For 22 years of his 25-year career, he was known only under the code name Gray Suit, this mythological, legendary figure that the entire intelligence community had been hunting for decades. And at the very end of his career, before he was about to retire, months before he was about to retire, a former KGB source sold a small file of information to a very fortunate joint task force between the FBI and CIA, who opened it thinking it was going to be someone else, and were shocked that it was Robert Hanssen. The reason: Hanssen was the top FBI analyst for the Soviet Union and then Russia. And at one point during his career, he was asked to catch Gray Suit. So he was asked to catch himself, which was insane, right? And so the FBI had to put together this very unique case in days. They gave him his dream job. They promoted him to executive service. They brought him back to FBI headquarters. They put him in charge of a section called the Information Assurance Section, which was ostensibly building cybersecurity for the FBI. And they needed somebody to go undercover with him. And that ended up being me, because I knew how to catch a spy and turn on a computer. Because we were doing cybersecurity for the FBI, they needed someone who could sell the position, and that ended up being me.

Daron: And you did manage to catch him.

Eric: Yeah, I did manage to catch him in the end. I found a smoking gun in the case that made the legal case a slam dunk. And since then, I have been a national security attorney. I run a couple of companies, one that does cybersecurity, one that does competitive intelligence. And near and dear to my heart, my two favorite things in the world: I'm a global public speaker, a keynote speaker on cybersecurity and catching spies and espionage, and an author. I've written two books. My first, Gray Day, is the story of how we caught Robert Hanssen, and my newest book, Spies, Lies, and Cybercrime, is everything you need to know to protect yourself in a world, an often dizzying world, of cyber attacks.

Daron: Yeah, yeah, we've got to talk about the cyber attacks. I just had on my show a personal security expert, both physical security and cybersecurity, which was very fascinating. And it kind of starts with that personal cybersecurity. But we just touched a little tiny bit. I want to go a little bit deeper with you, Eric. But before we do that, I've got to ask a couple of interesting questions about going undercover as yourself. I mean, that's an incredible story all by itself. How long ago was this that this happened? I mean, because he was in operation for 22 years. How long ago did we catch him, and were you involved in that? I would call it a physical honeypot, because basically that's what you guys did. You created a...

Eric: That's a good way to describe it. Essentially, the FBI did a lot of hard work to get very lucky at the very end of his career. So in the FBI you have mandatory retirement at 25 years as a special agent. We only learned about Robert Hanssen, learned that he was the biggest possibility for Gray Suit, in December of 2000.
And he was going to retire in April of 2001, his mandatory retirement. So the FBI had to do something that would keep him in place and sell a job that the FBI desperately needed, that was going to allow us to extend his service and not force his retirement. So they gave him his dream job, they extended his service in the FBI, and they paid him more. So coming into that room, 9930 in FBI headquarters on the ninth floor, he had to be insanely suspicious that the FBI had learned he was the spy and was closing the lid on a coffin just at the end of his career. For Hanssen, his problem was there were only two of us in that room, me and him. So in order to determine whether this was an investigation, or the FBI had just given him his dream job because he was the only one who could do it, which is what he wanted to believe, he could only attack me. And that was the big difficulty for that investigation. I had to succeed at the overt job of building cybersecurity for the FBI, we had to prove we were doing something, but also succeed at the covert job of, number one, not screwing up, making sure that Hanssen believed that this was a real job; number two, finding the information that proved to us that he was the spy we'd been after for 22 years; and then number three, finding the smoking gun that would lead to his arrest and a slam-dunk conviction. You very rarely have a case where you succeed in all three of those. And it's amazing. I'm still not exactly sure how I managed it, but we as a team, and I as the undercover asset, managed to catch Hanssen.

Daron: All right, we could talk about that all day, but I want to get into, you know, the nation threats that we're seeing here. The level and sophistication of the attacks that we're seeing are pretty astronomical. Everything from AI deepfakes and social engineering attacks to just brute force cyber attacks. It's all over the board right now.

Eric: So it is. The United States has never been more under siege in cyber warfare than today. And I talk a little bit about this in my first book, and I carry it forward and really explain it in my second. You know, the Cold War never ended for Russia, and China has jumped on the bandwagon. Iran knows that the only way they can attack us here in the homeland is through cyber. And North Korea is basically just a bunch of robber barons who steal from countries in the West in order to improve their economy. Also, they don't feel very friendly toward the United States. But cyber attacks, cyber terrorism, cyber warfare allows any country that has a bone to pick with the United States to attack us on our homeland, whether it's stealing information, actually stealing money, or preparing for future wars. What do I mean by that? I believe that the only real threat to the United States right now, the only real realistic threat, is a large-scale cyber attack that denies us the critical infrastructure that makes our lives happy, healthy, and whole.

And what we've seen in analysis of our systems, our SCADA, which are the networks that move everything from power to water to gas to all the things we need across the United States, and looking into critical infrastructure in itself, is that those big four countries who are the broadest threat in terms of cyber threats to the United States, China and then Russia and then Iran and North Korea, in that order, have been launching probe attacks, and some successful cyber attacks, on our critical infrastructure. And that critical infrastructure is our power grid, is our water, right, you want fresh water, and then people forget that a big part of critical infrastructure is the removal of wastewater. If you can't flush it, or, you know, hit your drain on your sink, that can cause serious problems, especially in health. But also flow of gas and the things that we need. Telecom has been attacked, the finance sector has been attacked, and these attacks are using the best espionage tactics to infiltrate, to maintain persistence, which means they hang around as long as they can, and then see how deep they can get and how long they can persist unobserved. So, perfect probe attacks. And these are occurring in greater frequency. It doesn't mean that tomorrow or next week there is going to be a large-scale attack, so, you know, don't run to your grocery store and hoard toilet paper. But it does mean that if current geopolitical issues continue at the pace that they're going, then the only way that these countries can hurt the United States is through a cyber attack, and we do need to be ready for it. And it's a drum I've been beating for some time, hoping that any administration takes it up.

Daron: Yeah, you're not the only one. My PhD dissertation was on this exact thing, exactly: OT and IT, and the cybersecurity best practices between them. It's a disaster right now.

Eric: It is. And it's, you know, if you look at large infrastructure companies, and if you look at all the different pieces of infrastructure, the
only thing that's really saved us is... unlike, a great example right now is Ukraine. Russia, in their war against Ukraine, and, you know, in my book I have spent a chapter on the email that launched a war, right. They started all of their kinetics... so now we have to talk about cyber attack versus kinetic attack. Warfare, you get two new terms, right. You have to talk about one or the other, because warfare is always part of both. But Russia, before even moving into Ukraine, launched a large-scale cyber attack that shut down the power in the power grids in the eastern oblasts, which are the easternmost regions that touch Russia. Then they moved in under cover of darkness. And they did this in the winter. They just attacked them again to shut off the power in Kiev this winter, when things are freezing cold, to make people miserable. It is an incredible weapon. Now, the difference between Ukraine and the United States is Ukraine has one central power grid run by the Ukrainian government. Here in the US, our power grid is state run, private, private and state partnerships, federal. It's this huge patchwork grid. But there have been analyses, and it's been shown by the twern energy, that if nine separate subgrids across the United States are brought down at once, the entire grid collapses under its own weight. So we are vulnerable. It's just a lot harder for a threat actor to do what Russia did, because there's not one switch, because we're very decentralized.

Daron: Yeah, you've got to get a lot of switches in a lot of places without being seen.

Eric: That doesn't mean it's impossible. It just means it's a little harder, which is probably one of the reasons that it hasn't happened yet.

Daron: Well, and if we talk beyond power, if you talk water, I mean, how many different water districts? I live in California. Just in California alone, every county is its own water district, has its own pumps...

Eric: That's right.

Daron: ...its own treatment plants, has its own sewage, all that stuff. So that one is going to be really hard to attack. But we're seeing more and more of these attacks and probes, like you said, on critical infrastructure. What can we do as a nation, then, to shore this up? I mean, we have a system, right, that is supposed to look at critical infrastructure and security, and frankly it sounds like they're moving back in that direction. They kind of went sideways there for a little bit, but it seems like they're trying to buckle down a little better on critical infrastructure, right? It's like herding... it's difficult.

Eric: Well, there are a couple of problems. One, you know, the federal response hasn't been great, and this isn't a partisan issue. It hasn't been all great in any of the last administrations. I know that Trump one did pour some money into a state-run, you know, endeavor where a bucket of money was going to be given to state CISOs if they were able to show the investments they were going to make in critical infrastructure. I thought that was pretty important. The problem was that it was so hard to get the money. I was working with CISOs in different states to help them, as a national security strategist and as an attorney, to help them figure out how to get those buckets of money, and it's mind-boggling. That's the problem with administrative oversight and some of the red tape that happens. And like you said, that's across different administrations. It's been a grab bag. You know, at the end of the day, we know exactly what has to happen. You shore up those defenses. You go out and you install better cybersecurity, particularly around these data switching networks. You upgrade cybersecurity. You weaken a lot of the poor patching and, you know, failure to use two-factor authentication, all of the basics in cybersecurity, the cybersecurity 101, right, that are the 99% of things that you should be doing. We are not doing it across the board. So that has to happen. I mean, that's just step one. And step two is improving cybersecurity with better technology, using AI-based heuristics and analysis, and looking for threats, or especially threats that try to maintain persistence, and onward. You know, part of the problem, and I actually state this in my book, I don't think a change is going to happen until there is a large-scale cyber attack.

Daron: Well, is that pretty typical, though, Eric? I mean, look, we go all the way back to World War II, right? We weren't ready for World War II until Pearl Harbor.

Eric: Yes, that's right.

Daron: And then all of a sudden our manufacturing kicked in and everything kicked in. A lot of people are afraid to wake the dragon. I think that's what Japanese Yamamoto said, right? "I'm afraid we woke the dragon." And they did, right?

Eric: Once the US pulls together and stops the infighting, no one, no one in the world can stop... right, once that... that's 100% true. But I think there's a more nefarious thing that we're missing. And we worry so much about nation-state threat actors, and we should, especially in critical infrastructure, because look, if China ever decides, we really want Taiwan, so we're taking it, the first thing they're going to do is launch a cyber attack here and then blame it on criminals. And one of the reasons that they're able to do that is, today I'm more worried about cyber criminal attacks on critical infrastructure here in the US. If you just look at the last number of years, they have taken down cities, including Atlanta, Dallas, and others, just for ransomware.

Daron: For ransomware, right.

Eric: And double extortion attacks, where they steal a lot of data on the population, medical records and financial records and social security numbers, and they tell the city, you know, we're going to publish all this if you don't pay, because they know that now everyone has good backups and they can restore, right, and they have resilience. The biggest wake-up, I think, for the United States was the attack on Colonial Pipeline,
out in your side of the woods in California, one of the biggest distributors of fuel from the west coast to the east coast. And when Colonial Pipeline was attacked, then you talk about OT, or, you know, your operational controls versus your administrative controls. Colonial Pipeline was attacked just on the administrative side, by a cybercrime group.

Daron: Yeah.

Eric: But their protocol said that if we can't immediately determine where the attack came from and where it landed, we shut it all down, because it could be a nation-state attack. I think that was the right call. But the fact of the matter was, because they didn't have the context, the ability to say, okay, in our cybersecurity infrastructure we know that the attacker is here in the administrative side of things, you know, they're sitting in HR, they're sitting in the exec function, let's shut down all the administrative, segment it from operational, and continue to pump gasoline. They didn't have the ability to do that. They do now. They didn't then, that they knew how.

Daron: Yeah.

Eric: And so they shut everything down, and the United States went into crisis. People forget this because it was during the pandemic, so we were already in crisis, but you couldn't get gasoline in a lot of places here on the east coast. I tell a story about people getting in fistfights at one of my local gasoline stations here, because they were lined up and the pumps were running out and people were getting upset. And my thought was, like, why do you care? Nobody can drive anywhere anyway. We're all working from home. So it's stupid.

Daron: But yeah, could you imagine, Eric, if the pandemic wasn't going on, what mass chaos that would have caused?

Eric: Yes, exactly. And I mean, the fact of the matter is that anything like this that is a chaotic event causes people to react in uncertain ways. So, you know, it's not just your lights go out, your power goes out, you can't get natural gas in your home to run your heater. When these things happen, people tend to freak out, and attackers know that. That kind of panic puts a pressure situation. So the pressure situation for spies can be to cause chaos and disruption in the United States. They could do it around an election, they could do it around, you know, all sorts of events, you know, a Fourth of July, you know, when people need their air conditioners. For cyber criminals, they know that it creates pressure, serious pressure, and that pressure can be pressure to pay, right, because that's what they want. And so what I've been saying for some time is the only difference between a foreign intelligence service cyber attack and a cybercrime syndicate cyber attack is the outcome. They use the same tactics, they use the same protocols, the same tool bag. They carefully recon. They use reconnaissance to learn everything about you. They find a person who will be their point of attack; that's the person with access to controls. They create a very sophisticated social engineering attack to fool that person into believing a lie. They steal that person's username credentials, password, and their two-factor authentication. Then they get into your system. They maintain persistence as long as they can, to corrupt as much as they can. And then here's the difference: the spies escape having stolen your information. They don't ever want you to know they're there. Or, if it's a critical infrastructure attack, they bring down everything they can and disappear. The criminals crash and burn and destroy everything on their way out, and then tell you, you pay us and we'll give you your data back, we'll give you the keys to resurrect it, and we won't dump your information on the dark web for everyone to see.

Daron: Wow. So, all right, so now that we've scared everyone sufficiently, Eric, because, I mean, that's the reality of what's going on, what can we do as an individual person or an organization, especially around critical infrastructure?

Eric: Yeah, but the steps are really the same. I came up with this methodology some time ago called PAID, because everybody can remember, right, PAID. And it's very simple. It stands for Prepare, Assess, Investigate, and Decide. So as an individual you can do all of this, and as a CISO of a large enterprise you can do the same thing. The only difference is scale, right. So let's think of an individual. We prepare ahead of the threat. We assess constantly, because cybersecurity, or security itself, is not set and forget. You've always got your radar on. When your assessment says you have a problem, you investigate. So you need the tools to investigate. You have to have the know-how and you have to have the ability to do it. And finally, you decide to act. One of the biggest problems in security and cybersecurity, and in all aspects of this, is people don't act. They feel like "I can't," or "it won't happen to me," or they put their heads in the sand. So part of PAID, which is a loop, is deciding to start the process. So start with prepare. Ahead of any attack, you have to prepare, which means that personally you have to take a look at what you're doing. Are you going to sites where you're going to get into trouble, and, you know, like, what some of those are? Are you deploying two-factor authentication and not relying on a password? Are you reusing passwords everywhere? Are you being careful in what you do online? Most cyber attacks on an individual today are leveraging impersonation attacks and confidence scheme attacks. They are fooling you by pretending there's someone you trust. So you have to use this "be skeptical of everything, trust last" approach to everything that comes to you on the internet. If it looks like your brother or sister, it might not be, or your best friend. Cyber criminals are using email as their, you know, still the number one, but they know that we're getting more skeptical about emails, so they're attacking us through social media, and they're attacking us through direct messages on social media, and through text. So we have to be very careful
about what we're seeing. And once you receive those texts or those emails or their social media DMs, you need to assess. That's part two of PAID, right. See if it's true. You know, don't immediately click on links or open attachments because you think it's from your bank, or you've just won the lottery, or you've got this great deal that you just saw through your social media app when you're scrolling. So always assess, and put on what I say is, put on your spy hunter hat. And when your assessment says, I think this might be a trick, this is where you have to investigate. Do some work. Find out if that person actually sent you the link. Go online and see if this is a legitimate company trying to send you this great deal, 50% off this new Valentine's Day gift, right. Make sure that that video you just watched from somebody is true, or not a deepfake. And then finally, you know, if your investigation says I don't feel good about this, decide to act. Follow that cop instinct, that tingle in your stomach, and don't get fooled by the cyber attack.

Daron: I love that you laid it out so simply, without specific tools there, which I love, because, right, the tools used in a corporation are different than what I'm going to use at home.

Eric: Yes.

Daron: Right? Especially on assess, they've got tons of tools for assessing, you know, all that stuff. But the basic steps are the same throughout all of these. So what do I do when I do investigate and I do see something bad? Can I involve... is my decide-to-act, is the right decision to call the FBI?

Eric: Well, that, or it also depends. For companies, yeah, for companies who think it could be a nation-state attack or one of the high-end cybercrime syndicates, who tend to come from China, Russia, you know, North Korea, Iran, then yes, reaching out to the FBI's IC3, the Internet Crime Complaint Center, is, one, important, because they are the best map of statistics for these attacks. We want to continue to show how many are happening. And two, they can provide some help. If they think it's a nation state, then they will come in and help. If they think it's asking us, they will come in and help. But even if they don't, it is a good resource and it's important to report it. On the other hand, you know, as a consumer, you can go to different local and state police agencies, who, you know, will have, some of them, cybercrime divisions. Like, for example, I had a client in New York, in Queens actually, who was the victim of what we call a pig butchering attack. It was romance fraud, where he thought that he had a romantic relationship with a woman that he met online, and they went to text, and she, it was actually, she, we found her, and it ended up being a cyber criminal who then, with a gang of criminals, defrauded him by getting him to invest in a fake investment scheme where he put a ton of his money. The nice thing about where he was is they had a good cybercrime division who was able to quickly track the cryptocurrency investment he was making and freeze the wallet and repatriate a bunch of his money before it disappeared into the cyber criminals. So our local authorities should probably be our first local for cybercrime, and then for intelligence, then yes, definitely the FBI. Local can be a grab bag. New York, big state, lot of cybercrime, and they know what they're doing. If you're in a small jurisdiction somewhere, in a municipality, your local police probably are just going to take the police report that helps you with insurance. So at the end of the day, what I say is we are responsible for protecting ourselves. The number one thing that we as individuals have to do is learn about it, is understand the different ways that we're being attacked. If you can see the attack coming, then you can defend against it.

Daron: Yeah, yeah.

Eric: And the only way to do that is counterintelligence. You have to be a spy hunter. You have to understand the different ways that they attack. And there are six different ways they attack. They use deception, they use infiltration, impersonation, confidence schemes, exploitation, and destruction. That acronym, by the way, comes out to DICE.

Daron: That's another cool one.

Eric: So you have that. The counterintelligence is DICED and the cyber spy hunting is PAID, and between the two of those, you are a fully functional spy hunter who can see the attack coming and defend against it.

Daron: Everyone who listened to this episode, you're now a spy hunter. You've been trained.

Eric: There you go.

Daron: By a real spy. This has been really great, Eric. If people want to learn more, they go out and buy your book? Is that probably the easiest way to go, right?

Eric: Certainly. A couple of things. My book is available wherever books are sold, and if you kind of like my voice, you can listen to my audiobook. I read the book myself.

Daron: Oh, that's wrong.

Eric: Because a lot of it is in the first person. There's a follow-through story about a cyber attack against a big company I was working with. You're in the middle of a ransomware case, and how we solve the case. And then I use a lot of storytelling for each of those different ways that cyber criminals attack, and then, for PAID, you know, how you could protect against it. So I use the ways that they've attacked in the beginning of the book to say, like, if you use PAID, here's how you could have solved this problem. You could solve... storytelling. But you can also reach out to me directly on my website, ericoneal.net, and every week on Tuesday morning I publish a newsletter that keeps the book alive. So it keeps updating the book, you know, every week, with a lot of cyber attacks. They never stop.

Daron: Yeah, yeah, that's a lot of work.

Eric: And you can join that at ericoneal.net slash newsletter and join the community of many thousands of people who we collaborate with, and our goal is to make the world safe from cyber attacks.

Daron: That is awesome, Eric. You're doing a great job out there, and I appreciate... I love what you brought, very practical things that my audience can use today. So thanks for coming on the show.

Eric: Darren, you're very welcome. It was a pleasure, and stay safe up there.

Daron: Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community at patreon.com slash Embracing Digital, where we share bonus content and you can always connect with other changemakers like yourself. You can always find more resources at EmbracingDigital.org. Until next time, keep embracing the digital transformation.